test: tokenopn.c File Reference

00186 : 00187 00188 Open a token object associated with a process and return a handle 00189 that may be used to access that token. 00190 00191 Arguments: 00192 00193 ProcessHandle - Specifies the process whose token is to be 00194 opened. 00195 00196 DesiredAccess - Is an access mask indicating which access types 00197 are desired to the token. These access types are reconciled 00198 with the Discretionary Access Control list of the token to 00199 determine whether the accesses will be granted or denied. 00200 00201 TokenHandle - Receives the handle of the newly opened token. 00202 00203 Return Value: 00204 00205 STATUS_SUCCESS - Indicates the operation was successful. 00206 00207 --*/ 00208 { 00209 00210 PVOID Token; 00211 KPROCESSOR_MODE PreviousMode; 00212 NTSTATUS Status; 00213 00214 HANDLE LocalHandle; 00215 00216 PAGED_CODE(); 00217 00218 PreviousMode = KeGetPreviousMode(); 00219 00220 // 00221 // Probe parameters 00222 // 00223 00224 if (PreviousMode != KernelMode) { 00225 00226 try { 00227 00228 ProbeForWriteHandle(TokenHandle); 00229 00230 } except(EXCEPTION_EXECUTE_HANDLER) { 00231 return GetExceptionCode(); 00232 } // end_try 00233 00234 } //end_if 00235 00236 00237 // 00238 // Valdiate access to the process and obtain a pointer to the 00239 // process's token. If successful, this will cause the token's 00240 // reference count to be incremented. 00241 // 00242 00243 Status = PsOpenTokenOfProcess( ProcessHandle, ((PACCESS_TOKEN *)&Token)); 00244 00245 if (!NT_SUCCESS(Status)) { 00246 return Status; 00247 } 00248 00249 // 00250 // Now try to open the token for the specified desired access 00251 // 00252 00253 Status = ObOpenObjectByPointer( 00254 (PVOID)Token, // Object 00255 0, // HandleAttributes 00256 NULL, // AccessState 00257 DesiredAccess, // DesiredAccess 00258 SepTokenObjectType, // ObjectType 00259 PreviousMode, // AccessMode 00260 &LocalHandle // Handle 00261 ); 00262 00263 // 00264 // And decrement the reference count of the token to counter 00265 // the action performed by PsOpenTokenOfProcess(). If the open 00266 // was successful, the handle will have caused the token's 00267 // reference count to have been incremented. 00268 // 00269 00270 ObDereferenceObject( Token ); 00271 00272 // 00273 // Return the new handle 00274 // 00275 00276 if (NT_SUCCESS(Status)) { 00277 00278 try { 00279 00280 *TokenHandle = LocalHandle; 00281 00282 } except(EXCEPTION_EXECUTE_HANDLER) { 00283 00284 return GetExceptionCode(); 00285 00286 } 00287 } 00288 00289 return Status; 00290 00291 }

00468 : 00469 00470 Open a token object associated with a thread and return a handle that 00471 may be used to access that token. 00472 00473 Arguments: 00474 00475 ThreadHandle - Specifies the thread whose token is to be opened. 00476 00477 DesiredAccess - Is an access mask indicating which access types 00478 are desired to the token. These access types are reconciled 00479 with the Discretionary Access Control list of the token to 00480 determine whether the accesses will be granted or denied. 00481 00482 OpenAsSelf - Is a boolean value indicating whether the access should 00483 be made using the calling thread's current security context, which 00484 may be that of a client if impersonating, or using the caller's 00485 process-level security context. A value of FALSE indicates the 00486 caller's current context should be used un-modified. A value of 00487 TRUE indicates the request should be fulfilled using the process 00488 level security context. 00489 00490 This parameter is necessary to allow a server process to open 00491 a client's token when the client specified IDENTIFICATION level 00492 impersonation. In this case, the caller would not be able to 00493 open the client's token using the client's context (because you 00494 can't create executive level objects using IDENTIFICATION level 00495 impersonation). 00496 00497 TokenHandle - Receives the handle of the newly opened token. 00498 00499 Return Value: 00500 00501 STATUS_SUCCESS - Indicates the operation was successful. 00502 00503 STATUS_NO_TOKEN - Indicates an attempt has been made to open a 00504 token associated with a thread that is not currently 00505 impersonating a client. 00506 00507 STATUS_CANT_OPEN_ANONYMOUS - Indicates the client requested anonymous 00508 impersonation level. An anonymous token can not be openned. 00509 00510 --*/ 00511 { 00512 00513 KPROCESSOR_MODE PreviousMode; 00514 NTSTATUS Status; 00515 00516 PVOID Token; 00517 PTOKEN NewToken = NULL; 00518 BOOLEAN CopyOnOpen; 00519 BOOLEAN EffectiveOnly; 00520 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; 00521 SE_IMPERSONATION_STATE DisabledImpersonationState; 00522 BOOLEAN RestoreImpersonationState = FALSE; 00523 00524 HANDLE LocalHandle; 00525 SECURITY_DESCRIPTOR SecurityDescriptor; 00526 OBJECT_ATTRIBUTES ObjectAttributes; 00527 PACL NewAcl = NULL; 00528 PETHREAD Thread; 00529 PETHREAD OriginalThread = NULL; 00530 PACCESS_TOKEN PrimaryToken; 00531 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; 00532 00533 PAGED_CODE(); 00534 00535 PreviousMode = KeGetPreviousMode(); 00536 00537 // 00538 // Probe parameters 00539 // 00540 00541 if (PreviousMode != KernelMode) { 00542 00543 try { 00544 00545 ProbeForWriteHandle(TokenHandle); 00546 00547 } except(EXCEPTION_EXECUTE_HANDLER) { 00548 return GetExceptionCode(); 00549 } // end_try 00550 00551 } //end_if 00552 00553 // 00554 // Valdiate access to the thread and obtain a pointer to the 00555 // thread's token (if there is one). If successful, this will 00556 // cause the token's reference count to be incremented. 00557 // 00558 // This routine disabled impersonation as necessary to properly 00559 // honor the OpenAsSelf flag. 00560 // 00561 00562 Status = SepOpenTokenOfThread( ThreadHandle, 00563 OpenAsSelf, 00564 ((PACCESS_TOKEN *)&Token), 00565 &OriginalThread, 00566 &CopyOnOpen, 00567 &EffectiveOnly, 00568 &ImpersonationLevel 00569 ); 00570 00571 if (!NT_SUCCESS(Status)) { 00572 return Status; 00573 } 00574 00575 00576 // 00577 // The token was successfully referenced. 00578 // 00579 00580 // 00581 // We need to create and/or open a token object, so disable impersonation 00582 // if necessary. 00583 // 00584 00585 if (OpenAsSelf) { 00586 RestoreImpersonationState = PsDisableImpersonation( 00587 PsGetCurrentThread(), 00588 &DisabledImpersonationState 00589 ); 00590 } 00591 00592 // 00593 // If the CopyOnOpen flag is not set, then the token can be 00594 // opened directly. Otherwise, the token must be duplicated, 00595 // and a handle to the duplicate returned. 00596 // 00597 00598 if (CopyOnOpen) { 00599 00600 // 00601 // Create the new security descriptor for the token. 00602 // 00603 // We must obtain the correct SID to put into the Dacl. Do this 00604 // by finding the process associated with the passed thread 00605 // and grabbing the User SID out of that process's token. 00606 // If we just use the current SubjectContext, we'll get the 00607 // SID of whoever is calling us, which isn't what we want. 00608 // 00609 00610 Status = ObReferenceObjectByHandle( 00611 ThreadHandle, 00612 THREAD_ALL_ACCESS, 00613 PsThreadType, 00614 KernelMode, 00615 (PVOID)&Thread, 00616 NULL 00617 ); 00618 00619 // 00620 // Verify that the handle is still pointer to the same thread\ 00621 // BUGBUG: wrong error code. 00622 // 00623 00624 if (NT_SUCCESS(Status) && (Thread != OriginalThread)) { 00625 Status = STATUS_OBJECT_TYPE_MISMATCH; 00626 } 00627 00628 if (NT_SUCCESS(Status)) { 00629 00630 PrimaryToken = PsReferencePrimaryToken(Thread->ThreadsProcess); 00631 00632 Status = SepCreateImpersonationTokenDacl( 00633 (PTOKEN)Token, 00634 PrimaryToken, 00635 &NewAcl 00636 ); 00637 00638 PsDereferencePrimaryToken( PrimaryToken ); 00639 00640 if (NT_SUCCESS( Status )) { 00641 00642 if (NewAcl != NULL) { 00643 00644 // 00645 // There exist tokens that either do not have security descriptors at all, 00646 // or have security descriptors, but do not have DACLs. In either case, do 00647 // nothing. 00648 // 00649 00650 Status = RtlCreateSecurityDescriptor ( &SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); 00651 ASSERT( NT_SUCCESS( Status )); 00652 00653 Status = RtlSetDaclSecurityDescriptor ( 00654 &SecurityDescriptor, 00655 TRUE, 00656 NewAcl, 00657 FALSE 00658 ); 00659 00660 ASSERT( NT_SUCCESS( Status )); 00661 } 00662 00663 InitializeObjectAttributes( 00664 &ObjectAttributes, 00665 NULL, 00666 0L, 00667 NULL, 00668 NewAcl == NULL ? NULL : &SecurityDescriptor 00669 ); 00670 00671 // 00672 // Open a copy of the token 00673 // 00674 00675 Status = SepDuplicateToken( 00676 (PTOKEN)Token, // ExistingToken 00677 &ObjectAttributes, // ObjectAttributes 00678 EffectiveOnly, // EffectiveOnly 00679 TokenImpersonation, // TokenType 00680 ImpersonationLevel, // ImpersonationLevel 00681 KernelMode, // RequestorMode must be kernel mode 00682 &NewToken 00683 ); 00684 00685 if (NT_SUCCESS( Status )) { 00686 00687 // 00688 // Reference the token so it doesn't go away 00689 // 00690 00691 ObReferenceObject(NewToken); 00692 00693 // 00694 // Insert the new token 00695 // 00696 00697 Status = ObInsertObject( NewToken, 00698 NULL, 00699 DesiredAccess, 00700 0, 00701 (PVOID *)NULL, 00702 &LocalHandle 00703 ); 00704 } 00705 } 00706 } 00707 00708 00709 } else { 00710 00711 // 00712 // We do not have to modify the security on the token in the static case, 00713 // because in all the places in the system where impersonation takes place 00714 // over a secure transport (e.g., LPC), CopyOnOpen is set. The only reason 00715 // we'be be here is if the impersonation is taking place because someone did 00716 // an NtSetInformationThread and passed in a token. 00717 // 00718 // In that case, we absolutely do not want to give the caller guaranteed 00719 // access, because that would allow anyone who has access to a thread to 00720 // impersonate any of that thread's clients for any access. 00721 // 00722 00723 // 00724 // Open the existing token 00725 // 00726 00727 Status = ObOpenObjectByPointer( 00728 (PVOID)Token, // Object 00729 0, // HandleAttributes 00730 NULL, // AccessState 00731 DesiredAccess, // DesiredAccess 00732 SepTokenObjectType, // ObjectType 00733 PreviousMode, // AccessMode 00734 &LocalHandle // Handle 00735 ); 00736 } 00737 00738 if (NewAcl != NULL) { 00739 ExFreePool( NewAcl ); 00740 } 00741 00742 if (RestoreImpersonationState) { 00743 PsRestoreImpersonation( 00744 PsGetCurrentThread(), 00745 &DisabledImpersonationState 00746 ); 00747 } 00748 00749 // 00750 // And decrement the reference count of the existing token to counter 00751 // the action performed by PsOpenTokenOfThread. If the open 00752 // was successful, the handle will have caused the token's 00753 // reference count to have been incremented. 00754 // 00755 00756 ObDereferenceObject( Token ); 00757 00758 if (NT_SUCCESS( Status ) && CopyOnOpen) { 00759 00760 // 00761 // Assign the newly duplicated token to the thread. 00762 // 00763 00764 PsImpersonateClient( Thread, 00765 NewToken, 00766 FALSE, // turn off CopyOnOpen flag 00767 EffectiveOnly, 00768 ImpersonationLevel 00769 ); 00770 00771 } 00772 00773 // 00774 // We've impersonated the token so let go of oure reference 00775 // 00776 00777 if (NewToken != NULL) { 00778 ObDereferenceObject( NewToken ); 00779 } 00780 00781 if (CopyOnOpen && (Thread != NULL)) { 00782 00783 ObDereferenceObject( Thread ); 00784 } 00785 00786 if (OriginalThread != NULL) { 00787 ObDereferenceObject(OriginalThread); 00788 } 00789 00790 // 00791 // Return the new handle 00792 // 00793 00794 if (NT_SUCCESS(Status)) { 00795 try { *TokenHandle = LocalHandle; } 00796 except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } 00797 } 00798 00799 return Status; 00800 00801 }

00056 : 00057 00058 This routine modifies the DACL protecting the passed token to allow 00059 the current user (described by the PrimaryToken parameter) full access. 00060 This permits callers of NtOpenThreadToken to call with OpenAsSelf==TRUE 00061 and succeed. 00062 00063 The new DACL placed on the token is as follows: 00064 00065 ACE 0 - Server gets TOKEN_ALL_ACCESS 00066 00067 ACE 1 - Client gets TOKEN_ALL_ACCESS 00068 00069 ACE 2 - Admins gets TOKEN_ALL_ACCESS 00070 00071 ACE 3 - System gets TOKEN_ALL_ACCESS 00072 00073 ACE 4 - Restricted gets TOKEN_ALL_ACCESS 00074 00075 00076 Arguments: 00077 00078 Token - The token whose protection is to be modified. 00079 00080 PrimaryToken - Token representing the subject to be granted access. 00081 00082 Acl - Returns the modified ACL, allocated out of PagedPool. 00083 00084 00085 Return Value: 00086 00087 00088 --*/ 00089 00090 { 00091 PSID ServerUserSid; 00092 PSID ClientUserSid; 00093 NTSTATUS Status = STATUS_SUCCESS; 00094 ULONG AclLength; 00095 PACL NewDacl; 00096 PSECURITY_DESCRIPTOR OldDescriptor; 00097 BOOLEAN MemoryAllocated; 00098 PACL OldDacl; 00099 BOOLEAN DaclPresent; 00100 BOOLEAN DaclDefaulted; 00101 00102 PAGED_CODE(); 00103 00104 ServerUserSid = ((PTOKEN)PrimaryToken)->UserAndGroups[0].Sid; 00105 00106 ClientUserSid = Token->UserAndGroups[0].Sid; 00107 00108 // 00109 // Compute how much space we'll need for the new DACL. 00110 // 00111 00112 AclLength = 5 * sizeof( ACCESS_ALLOWED_ACE ) - 5 * sizeof( ULONG ) + 00113 SeLengthSid( ServerUserSid ) + SeLengthSid( SeLocalSystemSid ) + 00114 SeLengthSid( ClientUserSid ) + SeLengthSid( SeAliasAdminsSid ) + 00115 SeLengthSid( SeRestrictedSid ) + sizeof( ACL ); 00116 00117 NewDacl = ExAllocatePool( PagedPool, AclLength ); 00118 00119 if (NewDacl == NULL) { 00120 00121 *Acl = NULL; 00122 return STATUS_INSUFFICIENT_RESOURCES; 00123 } 00124 00125 Status = RtlCreateAcl( NewDacl, AclLength, ACL_REVISION2 ); 00126 ASSERT(NT_SUCCESS( Status )); 00127 00128 Status = RtlAddAccessAllowedAce ( 00129 NewDacl, 00130 ACL_REVISION2, 00131 TOKEN_ALL_ACCESS, 00132 ServerUserSid 00133 ); 00134 ASSERT( NT_SUCCESS( Status )); 00135 00136 Status = RtlAddAccessAllowedAce ( 00137 NewDacl, 00138 ACL_REVISION2, 00139 TOKEN_ALL_ACCESS, 00140 ClientUserSid 00141 ); 00142 ASSERT( NT_SUCCESS( Status )); 00143 00144 Status = RtlAddAccessAllowedAce ( 00145 NewDacl, 00146 ACL_REVISION2, 00147 TOKEN_ALL_ACCESS, 00148 SeAliasAdminsSid 00149 ); 00150 ASSERT( NT_SUCCESS( Status )); 00151 00152 Status = RtlAddAccessAllowedAce ( 00153 NewDacl, 00154 ACL_REVISION2, 00155 TOKEN_ALL_ACCESS, 00156 SeLocalSystemSid 00157 ); 00158 ASSERT( NT_SUCCESS( Status )); 00159 00160 if(ARGUMENT_PRESENT(((PTOKEN)PrimaryToken)->RestrictedSids) || 00161 ARGUMENT_PRESENT(Token->RestrictedSids)) { 00162 Status = RtlAddAccessAllowedAce ( 00163 NewDacl, 00164 ACL_REVISION2, 00165 TOKEN_ALL_ACCESS, 00166 SeRestrictedSid 00167 ); 00168 ASSERT( NT_SUCCESS( Status )); 00169 } 00170 00171 *Acl = NewDacl; 00172 return STATUS_SUCCESS; 00173 }

00306 : 00307 00308 This function does the thread specific processing of 00309 an NtOpenThreadToken() service. 00310 00311 The service validates that the handle has appropriate access 00312 to reference the thread. If so, it goes on to increment 00313 the reference count of the token object to prevent it from 00314 going away while the rest of the NtOpenThreadToken() request 00315 is processed. 00316 00317 NOTE: If this call completes successfully, the caller is responsible 00318 for decrementing the reference count of the target token. 00319 This must be done using PsDereferenceImpersonationToken(). 00320 00321 Arguments: 00322 00323 ThreadHandle - Supplies a handle to a thread object. 00324 00325 OpenAsSelf - Is a boolean value indicating whether the access should 00326 be made using the calling thread's current security context, which 00327 may be that of a client (if impersonating), or using the caller's 00328 process-level security context. A value of FALSE indicates the 00329 caller's current context should be used un-modified. A value of 00330 TRUE indicates the request should be fulfilled using the process 00331 level security context. 00332 00333 Token - If successful, receives a pointer to the thread's token 00334 object. 00335 00336 CopyOnOpen - The current value of the Thread->Client->CopyOnOpen field. 00337 00338 EffectiveOnly - The current value of the Thread->Client->EffectiveOnly field. 00339 00340 ImpersonationLevel - The current value of the Thread->Client->ImpersonationLevel 00341 field. 00342 00343 Return Value: 00344 00345 STATUS_SUCCESS - Indicates the call completed successfully. 00346 00347 STATUS_NO_TOKEN - Indicates the referenced thread is not currently 00348 impersonating a client. 00349 00350 STATUS_CANT_OPEN_ANONYMOUS - Indicates the client requested anonymous 00351 impersonation level. An anonymous token can not be openned. 00352 00353 status may also be any value returned by an attemp the reference 00354 the thread object for THREAD_QUERY_INFORMATION access. 00355 00356 --*/ 00357 00358 { 00359 00360 NTSTATUS 00361 Status; 00362 00363 KPROCESSOR_MODE 00364 PreviousMode; 00365 00366 SE_IMPERSONATION_STATE 00367 DisabledImpersonationState; 00368 00369 BOOLEAN 00370 RestoreImpersonationState = FALSE; 00371 00372 PreviousMode = KeGetPreviousMode(); 00373 00374 00375 // 00376 // Disable impersonation if necessary 00377 // 00378 00379 if (OpenAsSelf) { 00380 RestoreImpersonationState = PsDisableImpersonation( 00381 PsGetCurrentThread(), 00382 &DisabledImpersonationState 00383 ); 00384 } 00385 00386 // 00387 // Make sure the handle grants the appropriate access to the specified 00388 // thread. 00389 // 00390 00391 Status = ObReferenceObjectByHandle( 00392 ThreadHandle, 00393 THREAD_QUERY_INFORMATION, 00394 PsThreadType, 00395 PreviousMode, 00396 (PVOID *)Thread, 00397 NULL 00398 ); 00399 00400 00401 00402 00403 if (RestoreImpersonationState) { 00404 PsRestoreImpersonation( 00405 PsGetCurrentThread(), 00406 &DisabledImpersonationState 00407 ); 00408 } 00409 00410 if (!NT_SUCCESS(Status)) { 00411 return Status; 00412 } 00413 00414 // 00415 // Reference the impersonation token, if there is one 00416 // 00417 00418 (*Token) = PsReferenceImpersonationToken( *Thread, 00419 CopyOnOpen, 00420 EffectiveOnly, 00421 ImpersonationLevel 00422 ); 00423 00424 00425 00426 00427 // 00428 // Make sure there is a token 00429 // 00430 00431 if ((*Token) == NULL) { 00432 ObDereferenceObject( *Thread ); 00433 (*Thread) = NULL; 00434 return STATUS_NO_TOKEN; 00435 } 00436 00437 00438 // 00439 // Make sure the ImpersonationLevel is high enough to allow 00440 // the token to be openned. 00441 // 00442 00443 if ((*ImpersonationLevel) <= SecurityAnonymous) { 00444 PsDereferenceImpersonationToken( (*Token) ); 00445 ObDereferenceObject( *Thread ); 00446 (*Thread) = NULL; 00447 (*Token) = NULL; 00448 return STATUS_CANT_OPEN_ANONYMOUS; 00449 } 00450 00451 00452 return STATUS_SUCCESS; 00453 00454 }


Functions
NTSTATUS	SepCreateImpersonationTokenDacl (IN PTOKEN Token, IN PACCESS_TOKEN PrimaryToken, OUT PACL *Acl)
NTSTATUS	NtOpenProcessToken (IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
NTSTATUS	SepOpenTokenOfThread (IN HANDLE ThreadHandle, IN BOOLEAN OpenAsSelf, OUT PACCESS_TOKEN Token, OUT PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
NTSTATUS	NtOpenThreadToken (IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle)

tokenopn.c File Reference

Functions

Function Documentation